This repository has been archived by the owner on May 26, 2020. It is now read-only.
jwt_get_secret_key check if user exists #384
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…h a deleted account tries to access the website
lahim
suggested changes
Sep 6, 2018
| key = str(api_settings.JWT_GET_USER_SECRET_KEY(user)) | ||
| return key | ||
| except User.DoesNotExist: | ||
| pass |
There was a problem hiding this comment.
jwt.InvalidTokenError() exception should be raised, for sure there is not place for pass statement. Please take a look into the BaseJSONWebTokenAuthentication class where InvalidTokenError exception is handled.
| return key | ||
| try: | ||
| user = User.objects.get(pk=payload.get('user_id')) | ||
| key = str(api_settings.JWT_GET_USER_SECRET_KEY(user)) |
There was a problem hiding this comment.
This code should be outside of this try ... except block. So it should look like below:
try:
user = User.objects.get(pk=payload.get('user_id'))
except User.DoesNotExist:
raise jwt.InvalidTokenError()
else:
return str(api_settings.JWT_GET_USER_SECRET_KEY(user))
|
Any ETA on when this will be merged? I ran into the same issue with a deleted user. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When a user with a deleted account tries to access the website with a JWT that is still valid, it causes an error 500. This checks if the user with the given pk exists, and if not, it will return the
api_settings.JWT_SECRET_KEYinstead of the deleted user's secret key